grant access to devops repo only without access to project? - azure-devops

In Azure DevOps, is it possible to grant access (read-only) to a repo in a project without the user having access to the project containing the repo?
We want to use the repo basically as a file share with clients that shouldn't be able to see all our code/scripts/pipelines etc that exist in the parent project and other repos.
With Stakeholder access on the project and Reader rights on the repo, they had too much access to the project. After removing them from the project and creating a new group with limited repo rights, they got a forbidden / access denied screen, which makes me think they have to have access to the project.
My testing is limited because, in a corporate environment, I am unable to create additional users/emails, and I don't want to keep asking co-workers to test every change I could try.

Azure DevOps is designed to enable all valid users to view all objects defined in the system. You can restrict access to specific resources by setting the permission state to Deny.
So I'm not quite sure this specific requirement is achievable. The closest you could probably get is this: Assign read-only rights to a single repository in Azure DevOps.
Here is a very similar idea on Developer Community from 2019: Restrict access to dev ops functionality for a guest user. One more resolved post: Restrict access to specific objects in DevOps.
If you think implementing this suggestion can benefit others in the Community as well, do request it as a new feature on Developer Community for Azure DevOps.
Also go through the elaborate documentation available for configuring ADO granular security controls and check whether changing individual permissions at the project level helps.

Related

How Do I Restrict Access To Viewing Azure DevOps Project Settings?

I want to add a group/user to an Azure DevOps project with just access to repositories and pipelines.
If I deny "View project-level information" they don't have access to the project at all.
If I allow the "View project-level information" it gives them a read-only access to the Project Settings including permissions to see users and members of other groups etc.
It seems unbelievable that such a basic security and privacy hole exists.
Am I missing something in the config? I have never seen this in any other application, and I find it hard to believe that everyone else using Azure DevOps finds this acceptable.
The easiest equivalent is GitHub (which Microsoft now owns), and there you can't see the project settings if you are just a contributor.
How do I give external contractors access to the project to work but prevent them from viewing the Project Settings?
There is no possibility to restrict access to the Team Project - Project Settings page. The only thing that comes close is the feature that is now in preview: Limit user visibility and collaboration to specific projects, which will enable you to restrict access to the Organization Settings. You could suggest this feature in the Microsoft Developer Community.

Azure DevOps default read access to members of organization on new projects

I manage an Azure DevOps organization with a couple dozen users, all with either Visual Studio subscriber or Basic user access level on the organization.
When someone creates a new project, which need to be private repos, I want all the organization users to automatically get read access to see the project and clone repos. Is there a way to do that? Everything works great once we grant the access at the project level, but sometimes people create projects and don't grant the access, so I don't know what projects exist. Do we need to rely on people creating the projects to grant read access to the group of users when they create them?
When someone creates a new project, which need to be private repos, I want all the organization users to automatically get read access to see the project and clone repos. Is there a way to do that?
This is not supported by design.
To protect private projects, Azure DevOps doesn't support automatically granting any access to a newly created project to normal organization-level users, unless the users belong to the PCA (Project Collection Administrators, the highest level in the whole org; it shouldn't be granted to normal users).
So we do need to rely on the people creating the projects to grant read access to the group of users when they create them. Apart from project creators (the people creating the projects), the PCA or project administrators can also do this job.
You can create a new organization group which contains the org users:
Then grant the access to those users by manually adding this group as a member of the default Project Reader group:

Azure DevOps view code via web restriction

Does anybody know if it is possible to prevent a user of Azure DevOps from being able to see code on the web interface and force them to check it out locally in order to see it? I am looking for this feature in Team Foundation Server 2015 as well.
Does anybody know if it is possible to prevent a user of Azure DevOps from being able to see code on the web interface and force to checkout locally in order to see it.
To achieve this, we could set the access level of that specific user to Stakeholder.
In this case, that user does not have permission to see code on the web interface:
To check it out locally, we could provide the user a PAT that has permission to access the repo, so that the user could use the git command line to check it out:
git clone https://<PAT>@dev.azure.com/<OrganizationName>/MyTestProject/_git/TestSample <directory>
Besides, this method should also work for Team Foundation Server 2015.
Update:
Is it possible to just restrict view of code on the web for a user with a Visual Studio subscription? The problem is that a Stakeholder might be very limited...
The answer is yes. Go to Project Settings -> Repositories -> add a specific user and set the Read permission to Deny:
Then we cannot access the code on the web UI:
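The clone command in the answer above puts the PAT into the remote URL, which means git writes it into .git/config of the clone and the shell keeps it in its history. The following is an added example, not code from the answer or from Microsoft, showing the alternative Azure DevOps documents for PATs: send the token as HTTP Basic auth (empty user name, base64 of ":PAT") through git's http.extraheader, so the URL itself stays secret-free. The organization, project, repo and PAT values used for the demonstration are constructed placeholders.

```python
import base64
import re
import subprocess


def pat_basic_header(pat: str) -> str:
    """Azure DevOps accepts a PAT as HTTP Basic credentials with an empty user name.
    The header value is base64(":" + PAT); git passes it unchanged via http.extraheader,
    so the token never appears in the remote URL, .git/config or shell history."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    return f"AUTHORIZATION: Basic {token}"


def clone_argv(org: str, project: str, repo: str, pat: str, directory: str) -> list:
    """argv for `git clone` that authenticates with the PAT header instead of a
    https://<PAT>@... URL. The -c option scopes the header to this one invocation."""
    url = f"https://dev.azure.com/{org}/{project}/_git/{repo}"
    return ["git", "-c", f"http.extraheader={pat_basic_header(pat)}", "clone", url, directory]


def url_leaks_secret(url: str) -> bool:
    """True when a credential is embedded as userinfo in the URL (the form the answer used)."""
    return re.match(r"https://[^/@]+@", url) is not None


def redacted(argv: list) -> list:
    """Copy of argv safe to log: the header value is replaced, the URL is left as is."""
    return ["http.extraheader=AUTHORIZATION: Basic <redacted>" if a.startswith("http.extraheader=") else a
            for a in argv]


if __name__ == "__main__":
    # Placeholder values (constructed); replace with a real organization, repo and PAT.
    argv = clone_argv("<OrganizationName>", "MyTestProject", "TestSample", "<PAT>", "TestSample")
    print(" ".join(redacted(argv)))
    # Only uncomment the next line with real values; it performs the network clone.
    # subprocess.run(argv, check=True)
```

For a workstation that clones repeatedly, Git Credential Manager is the better long-term answer; the header form is convenient for one-off clones and for scripted use where the PAT arrives from an environment variable or a secret store rather than a command line.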

Manage permissions to run azure devops pipelines and permissions to change variable groups pragmatically

I am reading through this documentation - https://learn.microsoft.com/en-us/rest/api/azure/devops, I can't see a clear answer on how one can manage permissions to run pipelines and permissions to edit variable groups through the Rest API.
For security management with REST APIs you can refer to Security for details. Some of the REST APIs are not documented; however, we can track them with the browser's developer tools (the simplest way is pressing F12 in your browser).
In your scenario it seems you are trying to manage the permissions of the pipelines in a specific project. If so, we can navigate to the Pipelines node -> Manage security -> select the specific group/user to set the permissions accordingly (just track the APIs while doing the actions).
To run the pipelines, we at least need the View build pipeline, View builds, and Queue builds permissions. You can also set other permissions as needed.
For example, just deny the Queue builds permission for the Contributors group:
POST https://dev.azure.com/{organization}/{Project}/_api/_security/ManagePermissions?api-version=5.1
Sample Request Body:
{"updatePackage":"{\"IsRemovingIdentity\":false,\"TeamFoundationId\":\"24cb2a78-4d79-49d6-b96c-bf0ac65d7032\",\"DescriptorIdentityType\":\"Microsoft.TeamFoundation.Identity\",\"DescriptorIdentifier\":\"S-1-9-1551374245-3809964236-1275365961-2582801090-4223875273-1-492339072-1927234371-3142690236-612141869\",\"PermissionSetId\":\"33344d9c-fc72-4d6f-aba5-fa317101a7e9\",\"PermissionSetToken\":\"cc7017e3-044c-498a-99f2-6ac2fbc338c9\",\"RefreshIdentities\":false,\"Updates\":[{\"PermissionId\":2,\"PermissionBit\":128,\"NamespaceId\":\"33344d9c-fc72-4d6f-aba5-fa317101a7e9\",\"Token\":\"cc7017e3-044c-498a-99f2-6ac2fbc338c9\"}],\"TokenDisplayName\":null}"}
Do the same thing to track the APIs for managing the variable groups.
In addition, you can also use the Azure CLI to manage the permissions, refer to az devops security for details.
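The ManagePermissions call above is the undocumented endpoint the web UI uses. The documented alternative is Set Access Control Entries (POST https://dev.azure.com/{org}/_apis/accesscontrolentries/{securityNamespaceId}?api-version=7.1-preview.1), which takes the same namespace ID and token and plain allow/deny bitmasks. The following added example, not code from this answer or from Microsoft, builds that body and then models how a permission bit resolves for a user: the point behind both the first answer's "restrict access by setting Deny" and this answer's Queue builds example. Assumptions: the only bit value taken from the page is Queue builds = 128; View builds = 1 and View build definition = 1024 are as I recall them from `az devops security permission namespace show` and should be verified in your organization; the evaluation rule (walk from the most specific token to its ancestors, and at the first level where any of the identity's groups has an explicit entry, Deny beats Allow) is my reading of the documented behaviour, and Project Collection Administrators, who bypass it, are not modelled; the project ID, pipeline ID and group descriptors are constructed placeholders.

```python
from dataclasses import dataclass

BUILD_NAMESPACE_ID = "33344d9c-fc72-4d6f-aba5-fa317101a7e9"  # Build namespace, from the page

# Build namespace bits. Only QUEUE_BUILDS (128) comes from the page; the other two are
# assumed and must be checked with `az devops security permission namespace show`.
VIEW_BUILDS = 1
QUEUE_BUILDS = 128
VIEW_BUILD_DEFINITION = 1024
RUN_PIPELINE = VIEW_BUILDS | QUEUE_BUILDS | VIEW_BUILD_DEFINITION


@dataclass(frozen=True)
class Ace:
    token: str        # "<projectId>" for the whole project, "<projectId>/<pipelineId>" for one pipeline
    descriptor: str   # user or group descriptor
    allow: int = 0
    deny: int = 0


def ace_body(token: str, descriptor: str, allow: int = 0, deny: int = 0) -> dict:
    """Request body for the documented accesscontrolentries endpoint.
    merge=True changes only the bits supplied and keeps the rest of the existing ACE."""
    return {"token": token, "merge": True,
            "accessControlEntries": [{"descriptor": descriptor, "allow": allow, "deny": deny}]}


def token_chain(token: str) -> list:
    """Most specific token first, then its ancestors in the '/'-separated hierarchy."""
    parts = token.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def effective(aces, token: str, memberships, bit: int) -> str:
    """'Deny', 'Allow' or 'Not set' for one bit.
    memberships: the identity's own descriptor plus every group it belongs to.
    Assumed rule: the first level with any explicit entry decides; there, Deny wins."""
    for level in token_chain(token):
        hits = [a for a in aces if a.token == level and a.descriptor in memberships]
        if any(a.deny & bit for a in hits):
            return "Deny"
        if any(a.allow & bit for a in hits):
            return "Allow"
    return "Not set"


def can_run_pipeline(aces, token: str, memberships) -> bool:
    """The three bits the answer lists as the minimum needed to run a pipeline."""
    return all(effective(aces, token, memberships, b) == "Allow"
               for b in (VIEW_BUILDS, QUEUE_BUILDS, VIEW_BUILD_DEFINITION))


# Constructed sample: one project, one pipeline (definition id 42), three placeholder groups.
PROJECT = "11111111-2222-3333-4444-555555555555"
PIPELINE = PROJECT + "/42"
CONTRIBUTORS, RELEASE_MGRS, CONTRACTORS = "vssgp.contrib", "vssgp.release", "vssgp.contractors"

SAMPLE_ACES = [
    Ace(PROJECT, CONTRIBUTORS, allow=RUN_PIPELINE),        # contributors may run any pipeline...
    Ace(PIPELINE, CONTRIBUTORS, deny=QUEUE_BUILDS),        # ...except queue pipeline 42 (the answer's Deny)
    Ace(PIPELINE, RELEASE_MGRS, allow=QUEUE_BUILDS),       # release managers may queue 42
    Ace(PROJECT, CONTRACTORS, allow=VIEW_BUILDS | VIEW_BUILD_DEFINITION, deny=QUEUE_BUILDS),
    Ace(PIPELINE, CONTRACTORS, allow=QUEUE_BUILDS),        # explicit Allow on the child overrides the inherited Deny
]

if __name__ == "__main__":
    print(ace_body(PIPELINE, CONTRIBUTORS, deny=QUEUE_BUILDS))
    for who, groups in [("alice", {CONTRIBUTORS}),
                        ("bob", {CONTRIBUTORS, RELEASE_MGRS}),
                        ("carol", {CONTRACTORS})]:
        print(who, "project:", can_run_pipeline(SAMPLE_ACES, PROJECT, groups),
              "pipeline 42:", can_run_pipeline(SAMPLE_ACES, PIPELINE, groups))
```

The bob case is the one that surprises people: he is in a group explicitly allowed to queue pipeline 42, but because Contributors is denied on the same token, the Deny wins, which is exactly why a blanket Deny on Contributors (as in the answer) needs a matching review of every other group those users belong to. To see what the service itself resolved, compare against `az devops security permission show --id 33344d9c-fc72-4d6f-aba5-fa317101a7e9 --subject <descriptor> --token <token>`.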

Azure devops stakeholder access

I have a setup on DevOps where I want to give an external account (not part of the company) access to the repos. I thought that Stakeholders would have at least read-only access there, but it seems not.
I've invited a new user (external) with Access Level = Stakeholder, given them access to project X and made them a member of Project Contributors for the project.
So the question is: should Stakeholders have access to the repos here? Is there a way for me to do this?
If you are using private repos for your project then stakeholders only have access to the following features:
Dashboards, Wiki, Boards, Project and Organization settings - Partial access
Repos, Test Plans - No access
Pipelines, Notifications, Semantic Search - Full access
If you are using public repos for your project then stakeholders only have access to the following features:
Dashboards, Wiki, Boards, Repos, Pipelines, Notifications, Semantic Search - Full access
Test Plans - No access
Project and Organization settings - Partial access
If you want details on Stakeholder access rights for each of the features, go here.
I hope that helps.